API Keys

Two different keys

adminKey

Use adminKey only for:

• /admin/status
• /admin/providers
• /admin/routing
• /admin/api-keys

adminKey is for the host owner or administrator. Do not hand it to normal client apps.

External API key

Use external API keys for:

• /v1/models
• /v1/audio/transcriptions

This is the normal credential for LAN clients and internal integrations.

Recommended issuance policy

• One key per project or device
• Avoid one shared team key
• Revoke compromised keys without affecting unrelated clients
• Track usage by integration instead of by person

Create and revoke flow

1. Open Settings → External API keys
2. Create a new key with a project-level name
3. Copy the full value immediately
4. Share it only with the owning integration
5. Revoke it when the integration is retired or compromised

Naming examples

• web-dashboard-prod
• web-dashboard-staging
• python-batch-reports
• warehouse-mic-gateway-02

Standard header

Authorization: Bearer vilab_xxxxxxxxxxxxxxxxxxxx

What is not in scope yet

This phase does not implement:

• Key scopes
• Expiration timestamps
• Per-key rate limits
• Team-managed access control